■ NASA Consolidated Active Directory (NCAD) 

■ Active Directory Domain 

■ Disaster Recovery 

■ OU Structure 

■ Active Directory Management Suite 

» ADMS - Directory and Resource Administrator (DRA) 
» ADMS - Group Policy Administrator (GPA) 

■ Security Monitoring of Active Directory (SMAD) 
■ NCAD Enterprise Program 
» Active Directory Domain 
» Active Directory Management Suite (ADMS) 

» Security Monitoring of Active Directory (SMAD) 
■ ndc.nasa.gov 

■ Single Forest; Single Domain 

■ 2008 R2 Forest and Domain Functional Level 

■ Centralized Management 

■ Domain Controllers Located at Every Center 

» Redundant DC’s - At least two at every center 
» NASA E-Mail System 
» NASA Data Center Networks 

■ NASA IP Address Management (IPAM) DNS - Primary 
» Underscore Zones Delegated 
Continuity of Operations 

■ AD Fully Redundant 

» Every DC has a Writable Copy of AD Database 

■ NCAD Core Systems Backed Up 

■ Core Active Directory Roles Fully Transferable 

■ Disaster Recovery 

» Fully Exercised Every 3 Years 
■ Active Directory Account Management Provided by NASA Identity, Credential, and Access Management (ICAM) Team 


■ Typical Accounts OU Configuration 

■ Domain.nasa.gov 
» Accounts 
• cc1 
• cc2 
• cc3 

Note: cc = Two Letter NASA Center Code 
■ Typical NASA Center Level OU Configuration 

■ cc 
» cc-org1 
• cc-org1Groups 
• cc-org1Srv 
• cc-org1WS 
» cc-org2 
• cc-org2Groups 
• cc-org2Srv 
• cc-org2WS 

Note: cc = Two Letter NASA Center Code 
Active Directory Management Suite (ADMS) 



■ Provides NASA Systems Administrators with the Ability to 
Manage AD Objects 

■ No Native AD Rights Required by NASA Systems 
Administrators 

■ Provides Audit Trail and Change Tracking 

■ Components: 

» NetIQ Directory and Resource Administrator (DRA) 

» NetIQ Group Policy Administrator (GPA) 
■ Role Based Administration 

■ Proxies Rights to Manage AD Objects 

■ Core Support Infrastructure 
» Primary DRA Server 

» Agency Accessible Web Consoles 

■ DRA Server Located at Each Center 
» Web Console 

» Scripting Capability 

■ Smart Card Access 
■ Agency Roles 

» Agency Help Desk 
» Account Administrators 

■ Center OU Roles 

» System Administrator 
» Account Administrator 1 
» Computer Support Specialist 1 and 2 
» Help Desk 

» Group Membership Management 

■ Center Sub OU Roles 

» System Administrator 
» Account Administrator 1 
» Computer Support Specialist 1 and 2 
» Group Membership Management 
DRA OU Roles 

Type of Privileged User Role                                                   | Password Reset | Add/Delete from Groups                     | Create/Delete Computer Accounts | Create/Delete Groups 
Help Desk (ND-GG-ADMS-cc-HD)                                                   | X              |                                            |                                 | 
Account Administrator 1 (ND-GG-ADMS-cc-Acct1)                                  |                | X (User Accounts)                          |                                 | 
Computer Support Specialist 1 (ND-GG-ADMS-cc-CS1)                              |                |                                            | X                               | 
Computer Support Specialist 2 (ND-GG-ADMS-cc-CS2)                              |                | X (Computer accounts)                      | X                               | 
System Administrator (OU Admin) (ND-GG-ADMS-cc-SA)                             | X              | X (in OU and GPO groups)                   | X                               | X 
Group Membership Role (Controls membership in named security groups)           |                | X (User and Computer in Named Groups only) |                                 | 
■ Role Based Administration 

■ Manage and Track Changes to Group Policy Objects 

» Changes Reviewed and Approved before Export to AD 
» Allows Roll Back to Previous Version 

■ GPO’s Exported to Domain After Core Team Review 

■ Centralized Infrastructure 
■ GPO Importer/Editor 
» Center Level Role 

» Edit or Import GPO’s in the database 

■ GPO Approver 

» Center Level Role 

» Approves GPO Changes for Their Center 

■ GPO Export 

» Role Held by Members of the NASA AD Core Team 
» Export Approved GPO’s After Review 
■ Security Monitoring for Active Directory (SMAD) 

» Provides Centralized Security Log Management 
» Event Monitoring, Correlation, Alerting, and Response 
» Security Reporting 

■ Designed to Monitor and Alert 

» NASA Consolidated Active Directory (NCAD) 

» Active Directory Management System (ADMS) environments 

» Security Monitoring for Active Directory (SMAD) system self monitoring 
■ Server Communicates via IPSEC Tunnel to Clients 
» Uses AES Encryption for all Log Traffic 

■ All Data is Digitally Signed Before Stored 

■ SMAD Protections 

» Limited Direct Access 
» Self Monitoring 
» Separation of Roles 
» File Integrity Checking 
» Process Checking 
» Change Monitoring 
» Privileged User Monitoring 

■ Investigations 

» Incident Response 

» Tracking for Support Groups Throughout Agency 

» Additional Active Directory Team Internal Investigations 

» SMAD Team Works with NCAD and Centers Incident Response Teams 
■ SMAD Comprised of Three COTS Components 
» NetIQ Security Manager (SM) 

• Real-time Monitoring of System Changes and User Activity 

• Detection of threats and intrusions 

• Security event management and correlation 

• Central log management 

• Incident response automation 

» NetIQ Change Guardian for Active Directory (CGAD) 

• Monitors AD and provides alerting for unmanaged changes 

• Software module for SM 

» NetIQ Change Guardian for Windows (CGW) 

• Monitors OS level, files and directories, file shares, registry and system processes and provides alerting 

• Software module for SM 
■ SMAD Entered Production Status 8/12/08 

■ 6 SMAD Production Servers 

■ 92 SMAD Agents 

■ 361,677,155 Events per week (Week of July 23rd, 2012) 
» An Average of 51,668,165 Events/Day 

» Approx. 5,000 Alerts/Day 

• Warnings, Errors, Critical Errors, Security Breaches, etc. 

» Peak 83 million Events/Day 

■ Security Log Archive Data 
» 7+ TB of Compressed Forensic Data 
Questions? 

Backup Slides 

■ ACES Data Center Operations Monitoring Team 
» 24x7 

■ NCAD Patch Support 

» Windows Server Update Services (WSUS) 

» Patch Monthly based on MS Patch Release Schedule 

■ Server Health Monitoring 

» System Center Operations Manager (SCOM) 

■ Centralized Anti-Virus Management 
» Symantec Endpoint Manager 

» Symantec Endpoint Client 
■ 24x7 Support 

■ DRA Agency Helpdesk Role 

■ Account Unlock, Password Reset, Account Enable 
SMAD: Purpose Cont. 




■ SMAD helps meet requirements of FISMA and NIST Standards for security review, reporting, and remediation planning. 

■ Of particular mention for log management, SP 800-53 — Guide for the Security Certification and Accreditation of Federal Information Systems 

» Within SP 800-53 are multiple controls that recommend regular review and monitoring of audit logs, especially within the Audit & Accountability Controls set and the Access Controls set. 

■ SP 800-92 

» Section 2.3.1: NIST accepts and recommends that Federal Agencies utilize systems that normalize and centralize logs for faster response to incidents and remediation. 

» Section 2.3.2: NIST specifies that host-based intrusion detection system (HIDS) products are particularly helpful in finding patterns that humans cannot easily see, such as correlating entries from multiple logs that relate to a single incident. It specifies that log analysis should be proactive, not reactive; to achieve this, logs must be reviewed in a real-time or near-real-time manner. Without sound processes the value of the logs is significantly reduced. 
SMAD Components: Reporting Data Flow 

[Figure: reporting data flow diagram. Recoverable labels: Log Archive, transfer every 3 hours, Log Manager Summary] 
Alert Response Process 

SMAD Helpdesk Process 

• Alert - Console and email 
• KB Populated with known issues 
• Unknown conditions escalated to SMAD SA and SMAD SE 

• SMAD SA receives alerts or call from NISC 
• Investigates and evaluates condition 
• Creates starting SIP 
• Initiates IR Procedure 
IR process 

• IR Process can be internally or externally initiated 
• Ticket filed with NISC 
• Incident opened at SOC 
• MSFC and center ITSM(s) notified 
• Data given to ITSM 
• Incident Closed with SOC 
• Ticket Closed 
• Resolution Phase 
• KB Updated 
• Rules Updated 
• Other policy, procedure changes if needed 
• SMAD SLA's 

• First 30 minutes following notification of a new alert: staff are responsible for acknowledging the alert and deciding whether it is a false positive or requires further investigation 

• First 1 hour following notification: SMAD must assign a staff member to investigate the alert, using NAF / ADMS Support Staff as needed 

• First 1 hour following classification of the alert as an incident: 

• Severity and classification of the incident with SOC by US-CERT standards 

• Center(s) involved in the incident (including MSFC ITSM and OCSO) 

• SOC must be notified and an incident number assigned 

• Within 14 days: alert must be resolved, and all technical person(s) have completed their remediation activities 

• SMAD SA or SE will create a SMAD Incident Package (SIP). 

• SIP contains reports, events, alerts and attachments for investigation 

• During this time the internal SMAD Resolution State will be set to Level 4 to keep the alerts active for 30 days. 

• Within 21 days: closeout procedure completed. 

• All tickets closed / incident closed at SOC 

• Any restored logs on the log archive server have been detached and space allocated back to the system 

• All items marked Level 4 are now marked resolved 
• Default Rule Set 

• Each module provides default rules 

• 3,600 rules were evaluated 

• Rules were enabled, disabled, customized 

• Rule re-writes for correctness and to reduce false positives 

• DRA and DMA Managed / Unmanaged Changes 

• Use of account tracked external to program 

• Vulnerability Manager / Intrusion Manager 

• Scripts analyze registry 

• Services and Ports monitored 

• CGAD/CGW 

• Managed / unmanaged changes 

• Track authorized / unauthorized changes 
• Antivirus Check points 

• Self Monitoring 

• Heartbeat active 

• Self log checking 

• Archive Rule for Security Logs 

• Correlation / Collection Activity 

• Collects Suspicious Activity 

• OU Move 

• Logon Failure then Disabling Account 

• Multiple Failed logons 

• Logon Failure followed by Log Clearing 

• Successful Attacks 

• Failed logon followed by account creation 

• Account granted “act as operating system” 

• Failed admin logon followed by service account logon 

• Multiple account lockout 

• User Enabled and Disabled in Rapid Succession 
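The suspicious-activity patterns listed above, as an added example that is not part of the original presentation or of the NetIQ product: a small Python correlator that applies sequence rules (event A followed by event B on the same account or host inside a window) and a threshold rule to constructed Windows Security log records. The Security event IDs, the pipe-delimited record format, the time windows and the sample records are my assumptions; the slides name only the patterns.

```python
from datetime import datetime, timedelta

# Event IDs are standard Windows Security IDs chosen here as an assumption (the slides
# name only the patterns): 4625 failed logon, 4720 user created, 4722 user enabled,
# 4725 user disabled, 1102 audit log cleared.
# Sequence rules: (name, first ID, second ID, field that must match, window).
SEQUENCE_RULES = [
    ("Logon failure then disabling account", 4625, 4725, "target", timedelta(minutes=30)),
    ("Logon failure followed by log clearing", 4625, 1102, "host", timedelta(minutes=30)),
    ("Failed logon followed by account creation", 4625, 4720, "host", timedelta(minutes=30)),
    ("User enabled and disabled in rapid succession", 4722, 4725, "target", timedelta(minutes=5)),
]
# Threshold rules: (name, event ID, field to group by, count, window).
THRESHOLD_RULES = [("Multiple failed logons", 4625, "target", 3, timedelta(minutes=10))]

def parse(line):
    """Constructed record format: timestamp|event_id|host|target_account."""
    ts, eid, host, target = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "id": int(eid), "host": host, "target": target}

def correlate(events):
    """Return sorted, de-duplicated (rule name, matched key) alerts."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = set()
    for name, first, second, key, window in SEQUENCE_RULES:
        for i, a in ((i, e) for i, e in enumerate(events) if e["id"] == first):
            for b in events[i + 1:]:            # look ahead only inside the window
                if b["ts"] - a["ts"] > window:
                    break
                if b["id"] == second and b[key] == a[key]:
                    alerts.add((name, a[key]))
                    break
    for name, eid, key, count, window in THRESHOLD_RULES:
        recent = {}                             # key -> timestamps inside the window
        for e in (x for x in events if x["id"] == eid):
            q = recent.setdefault(e[key], [])
            q.append(e["ts"])
            while e["ts"] - q[0] > window:      # drop timestamps that aged out
                q.pop(0)
            if len(q) == count:                 # fire once, when the threshold is reached
                alerts.add((name, e[key]))
    return sorted(alerts)

SAMPLE_LOG = [  # constructed records, not NCAD data
    "2012-07-23T08:00:00|4625|DC01|svc_backup", "2012-07-23T08:00:05|4625|DC01|svc_backup",
    "2012-07-23T08:00:10|4625|DC01|svc_backup", "2012-07-23T08:01:00|4720|DC01|tmpadmin",
    "2012-07-23T08:02:00|1102|DC01|-", "2012-07-23T09:00:00|4722|DC02|contractor7",
    "2012-07-23T09:01:00|4725|DC02|contractor7", "2012-07-23T09:30:00|4624|DC02|alice",
    "2012-07-23T10:00:00|4625|DC03|bsmith", "2012-07-23T10:10:00|4725|DC03|bsmith",
]
```

Running `correlate(map(parse, SAMPLE_LOG))` raises five of the listed patterns and ignores the benign successful logon; in production these records would come from the central log archive rather than an inline list.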
• Customization 

• Standard Accounts Defined 

• High Profile Groups and Users Defined 

• NetlQ Optimization 

• Rules updated to properly handle user & workstation accounts 

• Custom Enhancement during Incident Resolution 

• Example: GPO Incident at a center 

• GPG Reports available needed better solution 

• New CGGP Solution only supports 32Bit DC’s 

• Custom Alerts 

• SM Event Manager to detect event 

• CGW to detect changes within /sysvol/ 